For those of you who know me, Henry was my basset hound, and the fictitious name used during (ahem) special research. I'm a former intelligence officer, a professional analyst, and a blogger since 2004 writing about my experiences on the journey --information security, cyber intelligence, education, thoughts. Some love my writings others hate it. If you like it, follow me!

Saturday, January 16, 2016

Work with the government? Get ready.

NIST SP 800-171 is designed to protect controlled unclassified
information (CUI) outside of the government, and for those who bid on
contracts, several new GSA regulations are being put in place that state that
every company must now attest to the fact that they have a security program in
place, and (report to the government) when they have a breach that affects CUI.

I’m not a huge fan of compliance models, and this is no
different, but it’s a step in a direction that’ll both be praised and
criticized. Why praised? Because this is a huge step forward in a national plan
for cyber reform. Is it perfect? Not by a long shot but you fill the ocean one
drop at a time. Why criticized? Several areas where this is going to require
some attention. I’ve been down this path before as both in private industry and
as a government guy. I’ve seen the argument from both sides and understand
both.

The
new rules are going to require that protection of CUI in non-federal systems.

What exactly is CUI? I’m not asking for the definition of CUI,
rather exactly what is the CUI that the government wants protected? Give me a
list of key components in that widget. If we lose them to espionage actors, I’ll
tell you.

How many pieces of CUI has the government defined, in how many
contracts, that must have extra controls and be reported if lost during a cyber
event? Is there a central repository where these things are stored? Can I log
in and search for the list of things my contract requires me to protect?

How has the government protected my CUI? Should we use the same controls as defined by
the government when they don’t work? Was OPM FISMA compliant? 800-53?

Do the authors of the rule understand that the vast majority of
the companies that this will affect have no idea what those actors look like on
the wire, and have very little ability to protect themselves? In the last 30
days I’ve talked to two companies –one 1500 people and one 11,000 people. Both
are heavy satellite suppliers to NASA and DoD –but neither had a designated
Chief Information Security Officer or security team.

So
here’s the deal

There is no way that a company who does any kind of work will
escape the requirement to report breaches to the government; and don’t plan on
using their tech –Einstein is old tech, and not available for your use. So what
should you be thinking about?

I run a small business. We audit our systems annually, and must document
our security, attest to several of our customers. If you’re not prepared, this
can be a huge cost sink. I get asked the question all the time… How do we do it?

Place your systems behind those who have the ability to protect them. Regardless of cloud or on-premise, there are some great MSSPs out there that can protect your data at the baseline level. If you need more specialization, look for more specialized providers. MSSPs are a great way to get good protection at a reasonable price --it's far less than building it yourself.

Our data is segmented into multiple levels of sensitivity and we protect them each differently. What could you afford to lose? What must you never lose? When you get that CUI list, what level of protection and monitoring will that require? As an example, we use cloud services for some of our data for our
lowest levels of sensitivity –public facing stuff, but we put motes around private data in diverse locations for more sensitive data.